The Week In Breach March 26th – April 1st
It was a very active week in breach. Aside from the volume of events, it’s important to note the diversity of industries impacted is impressive. Both traditional credential-based compromises and advanced persistent threats were equally damaging. Additional takeaways from this week include:
Overall time to detect and respond is increasingly concerning.
– APT detection times ranged from +/- 30 days to 10 months.
– Credential exploit detection ranged from +/- 10 days to “unknown.”
Highly targeted Phishing attacks routinely circumvent detection tools.
– Individuals with elevated or privileged access are increasingly targeted.
Attack complexity is on the rise.
– Attack damage is elevated as combined extracts (employee and customer data) become more prevalent.
– Attackers are increasingly extracting long-form/string data, often with more than 5 PII/data elements that can be used for exploitation.
- MyFitnessPal
Date Occurred: February 2018
Date Disclosed: March 2018
Data Compromised: May include usernames, email addresses, and hashed passwords. Payment information NOT affected.
How it was Compromised: Unauthorized party access
Customers Impacted: 150 million users
Attribution: None at this time
Business Risk: Moderate (Data Exploit, Compromised Credentials, Weak Encryption)
Since the motivation is unknown at this time, it’s hard to determine how the data may be used and its direct impact on the individuals compromised. The dataset holds 3 key data elements: email, username and password. “Most” passwords were hashed using bcrypt; however, it appears a large percentage were simple SHA-1. Financial data was collected and housed separately, a solid best practice.
https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html
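The SHA-1 versus bcrypt point above matters because an unsalted fast hash can be tested at far higher rates than a slow, salted one. The following is an added example, not code from the original report or from MyFitnessPal, showing the throughput gap and a transparent upgrade-on-login migration from legacy SHA-1 rows; it substitutes the standard library’s PBKDF2-HMAC-SHA256 for the bcrypt the report names, and the iteration count and user table are constructed assumptions.

```python
# Added example, not from the original report. The MyFitnessPal entry notes
# that some passwords were stored as bare SHA-1 while others used bcrypt.
# This shows the throughput gap and how a site migrates legacy SHA-1 rows to a
# salted, slow hash on the next login. bcrypt is swapped for stdlib PBKDF2 here.
import hashlib
import hmac
import os
import time
PBKDF2_ITERATIONS = 100_000  # assumed tuning value; raise until ~100 ms per hash

def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 as found in the weak records: fast and table-lookup friendly."""
    return hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2$iterations$salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_slow(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login_and_upgrade(users: dict, username: str, password: str) -> bool:
    """Verify against whichever format the row holds; rehash legacy SHA-1 on success."""
    stored = users.get(username)
    if stored is None:
        return False
    if stored.startswith("pbkdf2$"):
        return verify_slow(password, stored)
    # Legacy row: constant-time compare, then upgrade so it never stays SHA-1.
    if hmac.compare_digest(stored, legacy_sha1(password)):
        users[username] = slow_hash(password)
        return True
    return False

def guesses_per_second(hash_fn, sample: int) -> float:
    """Rough single-core throughput: candidate passwords hashed per second."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"candidate{i}")
    return sample / (time.perf_counter() - start)

# Constructed user table: one legacy SHA-1 row, one already-migrated row.
USERS = {
    "alice": legacy_sha1("correct horse battery staple"),
    "bob": slow_hash("hunter2"),
}
```

After alice’s first successful login her row is rewritten in the slow format, so a later dump of the table no longer contains any SHA-1 value for her.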
- Ohio Applebee’s
Date Occurred: December 6, 2017 – January 2, 2018
Date Disclosed: March 2, 2018
Data Compromised: Certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods could have been affected.
How it was Compromised: Unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations.
Customers Impacted: Only impacted stores within the RMH network of restaurants and not the broader Applebee’s network.
Attribution: None at this time
Business Risk: Low (POS exploit, Regional)
This POS compromise was regional in scope and would have more of a direct impact on individuals rather than businesses. We will continue to monitor for chatter/uptick in online financial fraud leveraging this data set.
https://www.rmhfranchise.com/dataincident/
- Boeing
Date Occurred: Early 2018
Date Disclosed: March 2018
Data Compromised: Not disclosed at this time
How it was Compromised: “Limited intrusion of Malware” WannaCry, Supply Chain
Customers Impacted: “A small number of systems”; older systems
Attribution: Nation-State leanings. WannaCry, Crypto-malware
Business Risk: High (External / Persistent Targeting, Crypto, Vulnerability Exploit)
Although Boeing is publicly downplaying its impact, the company sent a company-wide alert calling for “all hands on deck.” It’s apparent that the infections caused major disruptions to airplane production and that significant internal resources were spent on determining downstream impacts.
There has been significant chatter regarding alternate payload distribution and kill switch circumvention. Boeing most certainly would have beefed up its resiliency to WannaCry after its initial outbreak in 2017. This suggests that supply chain access to Boeing core systems was exploited to deliver the payload.
https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/
- Active.com
Date Occurred: December 2016 – September 2017
Date Disclosed: March 2018
Data Compromised: PII used in registration/checkout process for races
How it was Compromised: Unauthorized access by 3rd parties
Customers Impacted: Potentially hundreds of runners in Great Britain affected; full effects not known.
Attribution: None at this time
Business Risk: Low (POS exploit, Regional)
Small-scale POS exposure impacted several hundred individuals in the UK. 3rd party intel firms suggest data has been sold on dark web markets in TOR. However, we have not validated the sale or exploitation of this data as of 4/2/18.
https://www.runnersworld.co.uk/events/credit-card-details-from-runners-potentially-at-risk-in-a-security-breach
- Loganville, Gwinnett County, GA
Date Occurred: March 15, 2018
Date Disclosed: March 2018
Data Compromised: May include PII such as social security numbers and/or banking information
How it was Compromised: City server breached by outside person or entity
Customers Impacted: Specifics unknown
Attribution: None at this time
Business Risk: Moderate (External / Persistent Targeting, Vulnerability Exploit)
The city’s announcement on Facebook suggests that its systems were left open to public access. It has yet to be determined/disclosed whether access was the result of an individual leveraging default password access or of systems left unpatched and open to automated exploit. It does not appear to be related to the City of Atlanta’s SamSam ransomware compromise from March 22.
- Baltimore 911 Dispatch System
Date Occurred: March 24-25, 2018
Date Disclosed: March 2018
Data Compromised: Hack affected messaging functions within the Computer Aided Dispatch (CAD) system which supports 911 and 311 functions in the city.
How it was Compromised: A crypto-malware hack prompted a temporary shutdown of automated 911 dispatching services, forcing reversion to manual operations.
Customers Impacted: Specifics unknown
Attribution: Unknown actors – assumed Eastern European, Crypto-malware
Business Risk: Severe (External / Persistent Targeting, Human Error, Vulnerability Exploit)
The attack shows constant scanning and targeting of public sector systems. Attackers performed an automated scan of the city’s firewall/ ports within a few hours of a technician manually changing firewall settings on its computer-aided dispatch system.
https://technical.ly/baltimore/2018/03/28/cyber-breach-baltimores-911-dispatch-system-investigation/
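The Baltimore timeline above (a manual firewall change followed within hours by an automated scan) is exactly the correlation a defender wants to alert on. The following is an added example, not code from the original report or from the city’s systems: it parses constructed firewall log lines in an assumed syslog-like format and flags a rule change that opens a port when a burst of inbound attempts to that port from several sources follows within a window; the field names, window and thresholds are assumptions.

```python
# Added example, not from the original report. The Baltimore entry says an
# automated scan hit the CAD firewall within hours of a manual rule change; this
# detector flags a rule change that opens a port followed by a burst of inbound
# attempts on it. The log format, fields, thresholds and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
2018-03-24T21:58:10 fw01 CONFIG user=tech1 action=open dport=3389 proto=tcp
2018-03-24T22:40:02 fw01 CONN src=198.51.100.7 dport=3389 proto=tcp result=accept
2018-03-24T22:40:03 fw01 CONN src=198.51.100.7 dport=3389 proto=tcp result=accept
2018-03-24T23:15:44 fw01 CONN src=203.0.113.9 dport=3389 proto=tcp result=accept
2018-03-25T01:02:17 fw01 CONN src=192.0.2.33 dport=3389 proto=tcp result=accept
2018-03-25T01:02:18 fw01 CONN src=192.0.2.33 dport=3389 proto=tcp result=accept
2018-03-25T03:30:00 fw01 CONN src=198.51.100.7 dport=443 proto=tcp result=accept
2018-03-26T09:00:00 fw01 CONN src=203.0.113.9 dport=3389 proto=tcp result=accept
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (CONFIG|CONN) (.*)$")

def parse_line(line):
    """Return (timestamp, host, kind, fields) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), fields

def find_post_change_bursts(log_text, window_hours=6, min_sources=3, min_attempts=5):
    """Alert when a port opened by a CONFIG change draws >= min_attempts attempts
    from >= min_sources distinct sources within window_hours of the change."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for ts, host, kind, f in events:
        if kind != "CONFIG" or f.get("action") != "open":
            continue
        deadline = ts + timedelta(hours=window_hours)
        hits = defaultdict(int)  # source address -> attempts on the opened port
        for ts2, host2, kind2, f2 in events:
            if (kind2 == "CONN" and host2 == host
                    and f2.get("dport") == f["dport"] and ts <= ts2 <= deadline):
                hits[f2["src"]] += 1
        attempts = sum(hits.values())
        if len(hits) >= min_sources and attempts >= min_attempts:
            alerts.append({"host": host, "port": f["dport"], "changed_by": f.get("user"),
                           "sources": sorted(hits), "attempts": attempts})
    return alerts
```

The attempt on port 443 and the connection a day later fall outside the opened port or the window, so only the 3389 burst is reported, together with the account that made the change.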
- Orbitz
Date Occurred: October 1, 2017 – December 22, 2017
Date Disclosed: March 1, 2018
Data Compromised: Potentially wide range of PII including full names of customers, credit card numbers, birth dates, phone numbers, mailing addresses, billing addresses and email addresses.
How it was Compromised: Hackers were able to breach one of the company’s legacy booking platforms to access records that cover dates between January 2016 – December 2017.
Customers Impacted: Orbitz customers and potentially customers who used Amextravel.com to book.
Attribution: Unknown actors
Business Risk: High (Vulnerability Exploit, potential for widespread online fraud)
It took Orbitz almost 3 months to discover that attackers exploited a legacy version of their travel booking platform between October 1, 2017 and December 22, 2017.
The data impacts more than 880,000 individuals. The string of PII compromised, combined with business itinerary information, provides the ability to effectively social engineer impacted individuals. Individuals should proactively monitor their personal data for misuse.
https://thehackernews.com/2018/03/expedia-data-breach.html
- Hudson’s Bay Co. (Saks /Lord & Taylor)
Date Occurred: “Preliminary analysis” found credit card data was obtained for sales dating back to May 2017
Date Disclosed: April 1, 2018
Data Compromised: Hackers stole information for more than 5 million credit and debit cards used at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. Cards used for in-store purchases. “No indication” online purchases were affected.
How it was Compromised: Not known at this time.
Customers Impacted: The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the “majority of stolen credit cards were obtained from New York and New Jersey locations.”
Attribution: Hacking syndicate JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2.
Business Risk: High (POS compromise, the potential for widespread online fraud)
Chatter about datasets began to surface 2 weeks back but was largely discounted. The Joker’s Stash site has touted several comprehensive sets of validated credit card data going back to 2016, including Hilton and BeBe Stores.
The data set contains more than 5 million credit and debit cards (all card types with complete data strings). This dataset will produce significant online credit and debit card fraud. Any organization running e-commerce platforms is urged to add additional card validation requirements until card issuers are able to invalidate all cards identified in the harvest.
https://www.nytimes.com/2018/04/01/technology/saks-lord-taylor-credit-cards.html
- ATI Physical Therapy
Date Occurred: Unknown – discovered in January 2018.
Date Disclosed: Early March 2018
Data Compromised: ATI Holdings discovered in January that some employees’ direct deposit information had been changed in its payroll system. At least one of the hacked email accounts included patient names, birth dates, driver’s license numbers, Social Security numbers, credit card numbers, diagnoses, and medication and billing information, among other data.
How it was Compromised: May have been compromised after hackers got hold of email accounts belonging to the Bolingbrook, Illinois-based chain’s employees.
Customers Impacted: As many as 35,000 patients of ATI Physical Therapy and its subsidiaries. ATI Physical Therapy has more than 100 clinics in Illinois and hundreds of others across 24 other states.
Attribution: Not known at this time.
Business Risk: High (Compromised Email Accounts, Lateral movement, Downstream Exploit)
With the hallmarks of organized crime, this compromise was able to extract and manipulate both employee and customer data. The downstream impacts are widespread and will have adverse effects on the individuals involved. Privileged access was leveraged to re-route banking information and extract comprehensive medical records/datasets on thousands of patients.
This is a devastating compromise that allowed attackers to move laterally within their victim’s network for an undetermined length of time.
https://www.hipaajournal.com/ati-physical-therapy-data-breach-impacts-35000-patients/
- CareFirst
Date Occurred: Unknown
Date Disclosed: Discovered March 12, 2018; disclosed late March 2018
Data Compromised: Because the breached email account gave the attackers access to the employee’s emails, the attack could have compromised personal information on about 6,800 CareFirst members, including names, member identification numbers and dates of birth. The company said the information did not include medical or financial data. CareFirst also disclosed that, in the case of eight members, social security numbers may have been compromised.
How it was Compromised: CareFirst employee was the victim of a phishing attack, which compromised their email account. In this case, the compromised CareFirst email account was used to send spam messages to an email list of individuals, which the insurer said were not associated with CareFirst.
Customers Impacted: Potentially 6,800 CareFirst members
Attribution: Not known at this time.
Business Risk: High (Phishing, Compromised Credentials)
A well-crafted phishing attack harvested credentials. Expect more information on this compromise to surface in the coming week. The public response to this compromise falls in line with how most large organizations are messaging their exposures. It’s becoming commonplace for organizations to generalize the numbers impacted to minimize negative public reaction.
https://www.databreachtoday.com/carefirst-bluecross-blueshield-hacked-a-8248
MSPs need to up end-user training and mandate 2-factor on any mission-critical application or assets that house any exploitable data.
Credential data mixed with additional PII elements surfacing on TOR over the coming months will produce a spike in targeted credential exploit as well as downstream social engineering and identity theft.
The Week in Breach is a new benefit for ID Agent Partners! If you’d like to get this weekly report contact [email protected].